MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 19

Intelligence 19 IOCs YARA 8 File information Comments

SHA256 hash:	fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
SHA3-384 hash:	e6bd355c1556bedaf2456c3ccbdfee593edea6feb456a5c9066e0aa79978b59bfaa090fe2b0cb1553944c0df5ca703b6
SHA1 hash:	61b66f60a20f0f76446f79807d8f8d01cf457a9e
MD5 hash:	cc82de91dc97bd82b7d032e5c12ca39e
humanhash:	enemy-virginia-skylark-spaghetti
File name:	SecuriteInfo.com.Variant.Application.FCA.2785.19270.17921
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	669'184 bytes
First seen:	2025-10-29 08:43:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:v58smqWcEd1ne1jGmNxDHyKqTdvlrCrBiQahKRC+dXKQaDrxfOWRa:OsmhcMe1jPPq1lrjQXC5/DrlOW0
TLSH	T161E402013395C713C9AB67B128B2F27957F87E9EA821D3164EC96DEB7462F005D18B83
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Variant.Application.FCA.2785.19270.17921

Verdict:

Malicious activity

Analysis date:

2025-10-29 08:45:25 UTC

Tags:

stealer ultravnc rmm-tool telegram exfiltration agenttesla ims-api generic

Link:

https://app.any.run/tasks/69cf7879-46b5-43cb-9a95-fdccaabfe29b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/34587/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6901d3c59942f1282ec9fd11

Tags:

virus krypt lien msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Changing a file

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed vbnet

Link:

https://www.filescan.io/uploads/6901d3c0f1fa8cbc03115379/reports/39898830-f5a4-4bc1-9ea2-ec566608a4c2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-29T03:13:00Z UTC

Last seen:

2025-10-31T05:19:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286/results?tab=lookup

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cdbcec78-057a-4bcf-bcd0-1f9243298708

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.53 Win 32 Exe x86

Link:

https://app.malva.re/file/cc82de91dc97bd82b7d032e5c12ca39e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286/

Threat name:

Win32.Trojan.DarkCloud

Status:

Malicious

First seen:

2025-10-29 06:54:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7izbi2eapgunvydj7qc76tyueql4cxamjkkj2d6wmqaydrybukda._file

Verdict:

malicious

Label(s):

unc_loader_001

xworm

unc_loader_037

agenttesla

Similar samples:

error

RedLineStealer

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/251029-kmx7zse16a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4fa1550c-6259-4b62-82dd-cfc4e1ef54c7

Unpacked files

SH256 hash:

fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286

MD5 hash:

cc82de91dc97bd82b7d032e5c12ca39e

SHA1 hash:

61b66f60a20f0f76446f79807d8f8d01cf457a9e

Link:

https://www.unpac.me/results/b9fab075-0e0f-44a9-b67c-efb6c1782819/

SH256 hash:

81c878e71a82aa8f4175648d188a1f75acf99cd0b02ef0f48e814fb4f44f0fc0

MD5 hash:

2c401550efe4777b67fa67fb7cecdfbc

SHA1 hash:

e5515434b9685499ad38499f4b59ed8c017b88b4

Link:

https://www.unpac.me/results/b9fab075-0e0f-44a9-b67c-efb6c1782819/

SH256 hash:

49db931f373d5216dbed22e8feb454dc87a5670ed71ae6e6fb6db2d25ae89698

MD5 hash:

964b8bbd9d8ba5ef8ebade9780cfc2e5

SHA1 hash:

ea45abce046f73d21283b39f66bd943dc9c5e12a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b9fab075-0e0f-44a9-b67c-efb6c1782819/

SH256 hash:

19ff9882f59bb3514899774602ed69d326cf4aa7e50781b638469d080e051c46

MD5 hash:

d294eed4f7ab068f8a118542c4128920

SHA1 hash:

f37c4518775033fe312ad9b5c3a79a14d3c0f5f5

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/b9fab075-0e0f-44a9-b67c-efb6c1782819/

SH256 hash:

55bac4190457ad9086da43ed7f7f1c88da89b3d6697eb61e7affa6c5062f8ca6

MD5 hash:

ac77f88389fef351964e93f0b3cd634b

SHA1 hash:

44cfd68b3a5ff9604378ff17b45d1d8fd8fbf3dc

Detections:

RedLine_Campaign_June2021

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/b9fab075-0e0f-44a9-b67c-efb6c1782819/

SH256 hash:

afa05c4b0e1c69b0a3b6e95bdeefd6331fb47ab1807994b82a1e1b0e5b960552

MD5 hash:

c1891fd27e7091267076b6b1e220954e

SHA1 hash:

5c8b46ba9b8a27b3c60faaaf46c82578297172a7

Detections:

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/b9fab075-0e0f-44a9-b67c-efb6c1782819/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fa3214688079/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/34587/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample